Confidence-based static analysis

ABSTRACT

Systems, methods and program products are provided for confidence-based static analysis, including initiating a static analysis of computer software, associating a confidence value with a first element of the static analysis, determining a current state of the static analysis, calculating an adjusted confidence value in accordance with a confidence adjustment function as applied to the current state and the confidence value associated with the first element, associating the adjusted confidence value with a second element of the static analysis resulting from a transition from the first element, and eliminating the second element from the static analysis if the adjusted confidence value meets elimination criteria.

BACKGROUND

Static analysis of computer software applications typically involves a degree of uncertainty. For example, where a function relies on the value of a variable to determine which of several other functions to call, and the value of the variable may only be known at run-time, static analysis cannot determine which function will be called. However, sound static analysis typically requires consideration of each of the potential paths from the calling function. When analyzing a large, complex application, a sound static analysis may end up tracking a large number of infeasible flows due to conservative control-flow judgments, the result being highly imprecise and leading to a high rate of false-positive reports.

SUMMARY

In one aspect of the invention a method, system and computer program product is provided for confidence-based static analysis to initiate a static analysis of computer software, associate a confidence value with a first element of the static analysis, determine a current state of the static analysis, calculate an adjusted confidence value in accordance with a confidence adjustment function as applied to the current state and the confidence value associated with the first element, associate the adjusted confidence value with a second element of the static analysis resulting from a transition from the first element, and eliminate the second element from the static analysis if the adjusted confidence value meets elimination criteria.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited aspects are attained and can be understood in detail, a more particular description of embodiments of the invention, briefly summarized above, may be had by reference to the appended drawings.

It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are, therefore, not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

FIG. 1 is a simplified conceptual illustration of a system for confidence-based static analysis, constructed and operative in accordance with an embodiment of the invention;

FIG. 2 is a simplified flowchart illustration of an exemplary method of operation of the system of FIG. 1, operative in accordance with an embodiment of the invention;

FIG. 3 is a simplified pseudo-code example of an implementation of the method of FIG. 2, operative in accordance with an embodiment of the invention;

FIG. 4 is a simplified source-code example of an implementation of the method of FIG. 2, operative in accordance with an embodiment of the invention; and

FIG. 5 is a simplified block diagram illustration of an exemplary hardware implementation of a computing system, constructed and operative in accordance with an embodiment of the invention.

DETAILED DESCRIPTION

The invention is now described within the context of one or more embodiments, although the description is intended to be illustrative of the invention as a whole, and is not to be construed as limiting the invention to the embodiments shown. It is appreciated that various modifications may occur to those skilled in the art that, while not specifically shown herein, are nevertheless within the true spirit and scope of the invention.

As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical data storage device, a magnetic data storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

Reference is now made to FIG. 1 which is a simplified conceptual illustration of a system for confidence-based static analysis, constructed and operative in accordance with an embodiment of the invention. In the system of FIG. 1, a static analyzer 100 is configured to statically analyze computer software (e.g., a computer software application), such as by analyzing the application source code or bytecode, to identify potential vulnerabilities within the application. In tracking one or more elements in a given domain, static analyzer 100 associates a starting confidence value with each seed element of the analysis, such as a value of 100.

An analysis state determiner 102 is configured to determine a current state of the static analysis, such as when performing a transition during the analysis that results in a modification of the analysis' abstract representation of the application. Analysis state determiner 102 may determine the current state of the static analysis using any method, such as by consulting a static analysis history 104 that is maintained of all the information computed and observed up to the present point in the analysis.

A confidence level adjustor 106 is configured to calculate an adjusted confidence value based on a confidence value of a tracked element, such as when static analyzer 100 reaches a transition point within the application. Confidence level adjustor 106 may calculate the adjusted confidence value by increasing the confidence value of the tracked element, decreasing it, or making no adjustment to it, all in accordance with confidence adjustment function 108 as applied to the current state of the static analysis. Confidence level adjustor 106 preferably sets the confidence value of each element resulting from the transition equal to the adjusted confidence value.

An element tracking eliminator 110 is configured to determine whether or not static analyzer 100 should continue tracking an element by applying elimination criteria 112 to the current confidence level of an element. If the confidence value of an element meets elimination criteria 112, such as where the confidence value is zero or below a given value, the element is not tracked further during the analysis.

Static analyzer 100 preferably presents the results of the static analysis via a computer-controlled output medium, such as a computer display or printout. Any item of the static analysis results may be presented along with a representation of any of the confidence values of any of the domain elements relating to the result, such as an average of the confidence values of the elements, or the lowest confidence value of any of the elements.

Any of the elements shown in FIG. 1 are preferably executed by or otherwise made accessible to a computer 114, such as by implementing any of the elements in computer hardware and/or in computer software embodied in a physically-tangible, computer-readable medium in accordance with conventional techniques.

Reference is now made to FIG. 2 which is a simplified flowchart illustration of an exemplary method of operation of the system of FIG. 1, operative in accordance with an embodiment of the invention. In the method of FIG. 2, static analysis of a computer software application is initiated to track one or more elements in a given domain (step 200). A starting confidence value is associated with each seed element of the analysis, such as a value of 100 (step 202). The current state of the analysis is determined (step 204), such as when performing a transition during the analysis that results in a modification of the analysis' abstract representation of the application, and such as by consulting a history that is maintained of all the information computed and observed up to the present point in the analysis. An adjusted confidence value is calculated based on a confidence value of a tracked element (step 206), such as when a transition point is within the application. The adjusted confidence value may be calculated by increasing the confidence value of the tracked element, decreasing it, or making no adjustment to it, all in accordance with the confidence adjustment function as applied to the current state of the static analysis. The confidence value of each element resulting from the transition is set equal to the adjusted confidence value (step 208). If the confidence value of a domain element meets elimination criteria, such as where the confidence value is zero or below a given value, the domain element is not tracked further during the analysis (step 210).

The method of FIG. 2 may be understood by way of example, such as where it is known that static analysis of an application of a certain size will produce analysis results indicating a certain number of security vulnerabilities on average. When performing a transition during the analysis, the number of security vulnerabilities discovered thus far is checked, and if the number of discovered security vulnerabilities exceeds the expected number of discovered security vulnerabilities, the applicable confidence function may dictate that the confidence values of the resulting domain elements be decreased by a given value. In another example, when performing a transition from a virtual call site to a callee method, an associated call graph is consulted to determine how many resolutions there are for the call site. If the number of resolutions is high, then there is likely imprecision in the disambiguation of the call site, which should be reflected in the confidence value associated with the resulting domain elements, in which case the applicable confidence function may likewise dictate that the confidence values of the resulting domain elements be decreased.

According to one embodiment, the method of FIG. 2 may also be understood by way of a simplified pseudo-code example shown in FIG. 3, where ‘AnalysisArtifact’ represents an element that is tracked in a given domain. In the example of FIG. 3, information other than what is in a particular statement may be used to adjust a confidence level. For example, if the statement is a call site, then the confidence level may be adjusted based on how many resolutions there are for the call site in the program's call graph. Optionally, analysis artifacts that differ only in terms of confidence level may be merged, so as to track fewer artifacts. This is shown by the ‘foreach’ statement.

According to one embodiment, the method of FIG. 2 may also be understood by way of a simplified source-code example shown in FIG. 4. In the example shown, there may be a vulnerable flow from source to sink if an instance of BankDetailsImpl4 is returned through the call to getBankDetails. This is because this subclass of BankDetails overrides virtual method getAccountID, and explicitly uses the ‘name’ parameter in its result, as opposed to BankDetails.getAccountID, which simply maps ‘name’ to its corresponding account ID, which is not controlled by the attacker. By applying the method of FIG. 2, a confidence value, such as 10, is associated with ‘name’. In the example, when a virtual call is encountered the confidence value decreases proportionate to the number of resolutions of the call, where each resolution has “weight” of 2. Thus, since there are 4 resolutions to the call shown, the decrease is (4−1)*2=6, resulting in the following confidence values for ‘name’ and ‘accountID’:

name <−> 10 accountID <−> 10 − 6 = 4

Thus, the overall flow has a relatively low confidence value of 4, which, in the example shown, reflects the certainty that the value reaching the sink was indeed tainted.

The analysis may be configured to make the following choices based on the above information:

-   -   1. It can use this information to assign a low priority to the         source-to-sink flow.     -   2. It can stop tracking variable ‘accountID’ if its confidence         value is below a predefined threshold value below which tainted         variables are not traced.     -   3. It can continue tracking ‘accountID’, but ultimately decide         to eliminate the flow from any report on the analysis results.         For example, the analysis may define the confidence level         associated with a flow as being the average of those associated         with the source and the sink (which is 7 in the example shown),         and use a special threshold value to determine whether flows         should be eliminated.

Referring now to FIG. 5, block diagram 500 illustrates an exemplary hardware implementation of a computing system in accordance with which one or more components/methodologies of the invention (e.g., components/methodologies described in the context of FIGS. 1-2) may be implemented, according to an embodiment of the invention.

As shown, the techniques for controlling access to at least one resource may be implemented in accordance with a processor 510, a memory 512, I/O devices 514, and a network interface 516, coupled via a computer bus 518 or alternate connection arrangement.

It is to be appreciated that the term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other processing circuitry. It is also to be understood that the term “processor” may refer to more than one processing device and that various elements associated with a processing device may be shared by other processing devices.

The term “memory” as used herein is intended to include memory associated with a processor or CPU, such as, for example, RAM, ROM, a fixed memory device (e.g., hard drive), a removable memory device (e.g., diskette), flash memory, etc. Such memory may be considered a computer readable storage medium.

In addition, the phrase “input/output devices” or “I/O devices” as used herein is intended to include, for example, one or more input devices (e.g., keyboard, mouse, scanner, etc.) for entering data to the processing unit, and/or one or more output devices (e.g., speaker, display, printer, etc.) for presenting results associated with the processing unit.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

It will be appreciated that any of the elements described hereinabove may be implemented as a computer program product embodied in a computer-readable medium, such as in the form of computer program instructions stored on magnetic or optical storage media or embedded within computer hardware, and may be executed by or otherwise accessible to a computer (not shown).

While the methods and apparatus herein may or may not have been described with reference to specific computer hardware or software, it is appreciated that the methods and apparatus described herein may be readily implemented in computer hardware or software using conventional techniques.

While the invention has been described with reference to one or more specific embodiments, the description is intended to be illustrative of the invention as a whole and is not to be construed as limiting the invention to the embodiments shown. It is appreciated that various modifications may occur to those skilled in the art that, while not specifically shown herein, are nevertheless within the true spirit and scope of the invention. 

What is claimed is:
 1. A system, comprising: a static analyzer configured to: initiate a static analysis of computer software, and associate a confidence value with a first element of said static analysis; an analysis state determiner configured to determine a current state of said static analysis; a confidence level adjustor configured to: calculate an adjusted confidence value in accordance with a confidence adjustment function as applied to said current state and said confidence value associated with said first element, and associate said adjusted confidence value with a second element of said static analysis resulting from a transition from said first element; and an element tracking eliminator configured to eliminate said second element from said static analysis if said adjusted confidence value meets elimination criteria.
 2. The system according to claim 1 wherein said analysis state determiner is configured to determine said current state when performing a transition during said static analysis that results in a modification of an abstract representation of said computer software.
 3. The system according to claim 1 wherein said analysis state determiner is configured to determine said current state by consulting a history of information computed and observed during said static analysis.
 4. The system according to claim 1 wherein said element tracking eliminator is configured to eliminate said second element from said static analysis if said adjusted confidence value is less than or equal to a predefined elimination value.
 5. The system according to claim 1 wherein said static analyzer is configured to present a result of said static analysis via a computer-controlled output medium along with a representation of any of said confidence values of any of said elements relating to said result.
 6. The system according to claim 5 wherein said static analyzer is configured to present said representation as an average of said confidence values.
 7. The system according to claim 5 wherein said static analyzer is configured to present said representation as the lowest confidence value of any of said elements.
 8. A computer program product for confidence-based static analysis, the computer program product comprising: a computer-readable storage medium; and computer-readable program code embodied in said computer-readable storage medium, wherein said computer-readable program code is configured to: initiate a static analysis of computer software, associate a confidence value with a first element of said static analysis, determine a current state of said static analysis, calculate an adjusted confidence value in accordance with a confidence adjustment function as applied to said current state and said confidence value associated with said first element, associate said adjusted confidence value with a second element of said static analysis resulting from a transition from said first element, and eliminate said second element from said static analysis if said adjusted confidence value meets elimination criteria.
 9. The computer program product according to claim 8 wherein said computer-readable program code is configured to determine said current state when performing a transition during said static analysis that results in a modification of an abstract representation of said computer software.
 10. The computer program product according to claim 8 wherein said computer-readable program code is configured to determine said current state by consulting a history of information computed and observed during said static analysis.
 11. The computer program product according to claim 8 wherein said computer-readable program code is configured to eliminate said second element from said static analysis if said adjusted confidence value is less than or equal to a predefined elimination value.
 12. The computer program product according to claim 8 wherein said computer-readable program code is configured to present a result of said static analysis via a computer-controlled output medium along with a representation of any of said confidence values of any of said elements relating to said result.
 13. The computer program product according to claim 12 wherein said computer-readable program code is configured to present said representation as an average of said confidence values.
 14. The computer program product according to claim 12 wherein said computer-readable program code is configured to present said representation as the lowest confidence value of any of said elements. 